Kerberos 5 Release 1.12.3

The MIT Kerberos Team announces the availability of the
krb5-1.12.3 release. The detached PGP
signature is available without going through the download
page, if you wish to verify the authenticity of a distribution
you have obtained elsewhere.

You may also see the current full
list
of fixed bugs tracked in our RT bugtracking system.

DES transition

The Data Encryption Standard (DES) is widely recognized as
weak. The krb5-1.7 release contains measures to encourage sites
to migrate away from using single-DES cryptosystems. Among
these is a configuration variable that enables "weak" enctypes,
which now defaults to "false" beginning with krb5-1.8.

Major changes in 1.12.3 (2015-02-18)

This is a bugfix release. The krb5-1.12 release series is in
maintenance, and for new deployments, installers should prefer
the krb5-1.13 release series or later.

Major changes in 1.12.1 (2014-01-15)

Make KDC log service principal names more consistently
during some error conditions, instead of "<unknown server>"

Fix several bugs related to building AES-NI support on less common
configurations

Fix several bugs related to keyring credential caches

Major changes in 1.12 (2013-12-10)

Developer experience:

Add a plugin interface to control
krb5_aname_to_localname and krb5_kuserok behavior.

Add a plugin interface to control hostname-to-realm
mappings and the default realm.

Add GSSAPI extensions for constructing MIC tokens using
IOV lists.

Administrator experience:

Principal entries may now refer to the names of policies
which do not exist as policy objects in the database.
Policy objects may now be deleted whether or not
principals reference their names. A principal which
references a nonexistent policy name will behave as if it
does not reference a policy.

Add support for having no long-term keys for a
principal. This can be useful if the principal is only
intended to be used with PKINIT or OTP preauthentication.

Add collection support to the KEYRING credential cache
type on Linux, and add support for persistent user
keyrings and larger credentials on systems which support
them.